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setting support tool 1200 running on a remote server or processing unit. The agent 
program then retrieves, from the target processing unit, the association information 106, 
the installation information 105, and the object-sharing information 109 and sends 
them to the policy setting support tool 1200. The policy setting support tool 1200 in 
turn creates policy information 1310 and send them to the agent program, which finally 
saves them into the policy file 1220 inside the target processing unit. 

In the variant of implementation described above, the programs to be executed 
on information processing units or servers may be installed in their storages beforehand 
or, alternatively, be installed in their storages via a removable storage medium (not 
shown in any of the diagrams) or a communication medium G.e., a network or a carrier 
wave constituting a network). 

The specification and drawings are, accordingly, to be regarded in an 
illustrative rather than a restrictive sense. It will, however, be evident that various 
modifications and changes may be made thereto without departing from the spirit and 
scope of the invention as set forth in the claims. 

WE CLAIM: 

1. A policy setting support tool for creating, in a computer system equipped with 

an access control unit that controls access to computer-managed resources based on 
policies, said policies, said policy setting support tool comprising* 

an information database arranged by the kind of subject containing sample policies 
prepared as standard or recommended policies, an access log holding a history of the 
normal behavior of the subject, and installation information including the path to the 
subject installed in said computer system i 

an information database arranged by the kind of object containing association 
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information representing the subjects that are most frequently used to access it; 

an access monitoring unit for monitoring the behavior of the subject and recording it in 

said access log," 

a differential detection unit for collating said installation information with said sample 
policy and detecting the differences," 

a policy creation unit for creating a draft policy from said sample policy, said association 
information, and said differences detected by said differential detection unit; and 
a user interface unit for presenting said draft policy to the user, revising said draft 
policy as directed by the user, and saving the revised policy as the final policy. 

2. The policy setting support tool of claim 1, further comprising". 

a unit for creating a draft policy from one or more of said sample policy, said 
association information, and said access log, in accordance with the directions given by 
the user through said user interface unit, and 

a unit for setting up a policy by accepting requests for revising said draft policy 
and saving the revised policy. 

3. A policy setting support tool for maintaining, in a computer system equipped 
with an access control unit that controls access to computer-managed resources based 
on policies, said policies, said policy setting support tool comprising: 

an information database or a set of information database containing most 
up-to-date information regarding the subjects and objects of access,* 

a differential detection unit for collating the most up-to-date information 
regarding the subject and object of the access retrieved from said information database 
or said set of information database with the policies that are already set up, and 
detecting the items that need to be revised; 

a policy creation unit for creating a draft policy based on the result of detection 
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produced by said differential detection unit; and 

a user interface unit for presenting said draft policy to the user for visual 
confirmation and revising said draft policy as directed by the user. 

4. The policy setting support tool of claim 3, wherein said differential detection 
unit performs the collation and detection processing at regular intervals or at the 
demand of the user, and upon detecting any difference, presents it to the user through 
said user interface unit, and further wherein the user of said policy setting support tool 
visually checks said difference presented to the user, determines whether the policy 
should be revised as presented, revises it if and as necessary through said user interface 
unit, and saves the final policy. 

5. A policy setting support tool for creating, in a computer system equipped with 
an access control unit that controls access to computer-managed resources based on 
policies, said policies, said policy setting support tool comprising: 

an information database holding, for each object of access, information on the 
subjects that are most frequently used as a unit of access to it, and 

a unit for creating a policy from the information held in said association 
information. 

6. The policy setting support tool of claim 5, further comprising: 

a subject-specifying unit for specifying unit of access to the object according to 
its purpose, and 

a unit for creating said policy while designating the program specified by said 
subject-specifying unit as the subject that is permitted to access multiple kinds of object. 

7. The policy setting support tool of claim 5, wherein said computer system 
includes a collection of identifications of the subjects equipped with an object-sharing 
handling unit for sharing objects among multiple subjects and a collection of 
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object-sharing information listing the types of object that can be accessed by each 
subject, said policy setting support tool further comprising a unit for creating a policy 
that permits all or some of the types of access from a subject registered in said collection 
of object-sharing information to objects available to said subject. 

8. The policy setting support tool of claim 5, further comprising a unit for being 

notified by said access control unit of any access attempts violating said policy, for 
notifying the user of said computer system administering objects to be accessed about 
said access attempts, and for carrying out a process based on a judgment made by said 
user in response to the notification, wherein' 

said judgment made by said user is a choice between thereafter permitting all 
of said access attempts violating said policy, permitting said access attempt only this 
time, and prohibiting all of said access attempts violating said policy; 

in case said judgment made by said user is to thereafter permit all of said 
access attempts violating said policy, said process is to revise said policy so as to make 
said access attempts legitimate and to notify said access control unit of the legitimacy of 
said access attempts; 

in case said judgment made by said user is to permit said access attempt only 
this time, said process is to notify said access control unit of the legitimacy of said access 
attempt, without revising said policy,* and 

in case said judgment made by said user is to prohibit all of said access 
attempts violating said policy, said process is to notify said access control unit of the 
illegitimacy of said access attempts, without revising said policy. 

9. The policy setting support tool of claim 5, further comprising a unit for being 

notified by said access control unit of any access attempts to an object not registered in 
the collection of said policies coming from a subject associated with said object, for 
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notifying the user of said computer system about said access attempts, and for carrying 
out a process based on a judgment made by said user in response to the notification, 
wherein: 

said judgment made by said user is a choice between permitting and 
prohibiting said access attempt made to said object not registered in the collection of 
said policies coming from a subject associated with said object; 

in case said judgment made by said user is to permit said access attempt, said 
process is to revise said policy so as to make said access attempt legitimate and to notify 
said access control unit of the legitimacy of said access attempt; and 

in case said judgment made by said user is to prohibit said access attempt, said 
process is to notify said access control unit of the illegitimacy of said access attempt, 
without revising said policy. 

10, The policy setting support tool of claim 5, further comprising a unit for being 
notified by said access control unit of any access attempts coming from a subject which 
only partially matches the collection of said policies, for notifying the user of said 
computer system about said access attempts, and for carrying out a process based on a 
judgment made by said user in response to the notification, wherein: 

said judgment made by said user is a choice between permitting and 
prohibiting said access attempt made by said subject; 

in case said judgment made by said user is to permit said access attempt, said 
process is to revise said policy so as to make said access attempt legitimate and to notify 
said access control unit of the legitimacy of said access attempt; and 

in case said judgment made by said user is to prohibit said access attempt, said 
process is to notify said access control unit of the illegitimacy of said access attempt, 
without revising said policy. 
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